Changeset 235261 in webkit

Timestamp:

Aug 23, 2018 4:57:03 PM (6 years ago)

Author:

sbarati@apple.com

Message:

JSRunLoopTimer may run part of a member function after it's destroyed
​https://bugs.webkit.org/show_bug.cgi?id=188426

Reviewed by Mark Lam.

Source/JavaScriptCore:

When I was reading the JSRunLoopTimer code, I noticed that it is possible
to end up running timer code after the class had been destroyed.

The issue I spotted was in this function:
`
void JSRunLoopTimer::timerDidFire()
{

JSLock* apiLock = m_apiLock.get();
if (!apiLock) {

Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
return;

}
HERE
std::lock_guard<JSLock> lock(*apiLock);
RefPtr<VM> vm = apiLock->vm();
if (!vm) {

The VM has been destroyed, so we should just give up.
return;

}

doWork();

}
`

Look at the comment 'HERE'. Let's say that the timer callback thread gets context
switched before grabbing the API lock. Then, some other thread destroys the VM.
And let's say that the VM owns (perhaps transitively) this timer. Then, the
timer would run code and access member variables after it was destroyed.

This patch fixes this issue by introducing a new timer manager class.
This class manages timers on a per VM basis. When a timer is scheduled,
this class refs the timer. It also calls the timer callback while actively
maintaining a +1 ref to it. So, it's no longer possible to call the timer
callback after the timer has been destroyed. However, calling a timer callback
can still race with the VM being destroyed. We continue to detect this case and
bail out of the callback early.

This patch also removes a lot of duplicate code between GCActivityCallback
and JSRunLoopTimer.

• heap/EdenGCActivityCallback.cpp:

(JSC::EdenGCActivityCallback::doCollection):
(JSC::EdenGCActivityCallback::lastGCLength):
(JSC::EdenGCActivityCallback::deathRate):

• heap/EdenGCActivityCallback.h:
• heap/FullGCActivityCallback.cpp:

(JSC::FullGCActivityCallback::doCollection):
(JSC::FullGCActivityCallback::lastGCLength):
(JSC::FullGCActivityCallback::deathRate):

• heap/FullGCActivityCallback.h:
• heap/GCActivityCallback.cpp:

(JSC::GCActivityCallback::doWork):
(JSC::GCActivityCallback::scheduleTimer):
(JSC::GCActivityCallback::didAllocate):
(JSC::GCActivityCallback::willCollect):
(JSC::GCActivityCallback::cancel):
(JSC::GCActivityCallback::cancelTimer): Deleted.
(JSC::GCActivityCallback::nextFireTime): Deleted.

• heap/GCActivityCallback.h:
• heap/Heap.cpp:

(JSC::Heap::reportAbandonedObjectGraph):
(JSC::Heap::notifyIncrementalSweeper):
(JSC::Heap::updateAllocationLimits):
(JSC::Heap::didAllocate):

• heap/IncrementalSweeper.cpp:

(JSC::IncrementalSweeper::scheduleTimer):
(JSC::IncrementalSweeper::doWork):
(JSC::IncrementalSweeper::doSweep):
(JSC::IncrementalSweeper::sweepNextBlock):
(JSC::IncrementalSweeper::startSweeping):
(JSC::IncrementalSweeper::stopSweeping):

• heap/IncrementalSweeper.h:
• heap/StopIfNecessaryTimer.cpp:

(JSC::StopIfNecessaryTimer::doWork):
(JSC::StopIfNecessaryTimer::scheduleSoon):

• heap/StopIfNecessaryTimer.h:
• runtime/JSRunLoopTimer.cpp:

(JSC::epochTime):
(JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
(JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
(JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
(JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
(JSC::JSRunLoopTimer::Manager::timerDidFire):
(JSC::JSRunLoopTimer::Manager::shared):
(JSC::JSRunLoopTimer::Manager::registerVM):
(JSC::JSRunLoopTimer::Manager::unregisterVM):
(JSC::JSRunLoopTimer::Manager::scheduleTimer):
(JSC::JSRunLoopTimer::Manager::cancelTimer):
(JSC::JSRunLoopTimer::Manager::timeUntilFire):
(JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
(JSC::JSRunLoopTimer::timerDidFire):
(JSC::JSRunLoopTimer::JSRunLoopTimer):
(JSC::JSRunLoopTimer::timeUntilFire):
(JSC::JSRunLoopTimer::setTimeUntilFire):
(JSC::JSRunLoopTimer::cancelTimer):
(JSC::JSRunLoopTimer::setRunLoop): Deleted.
(JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
(JSC::JSRunLoopTimer::scheduleTimer): Deleted.

• runtime/JSRunLoopTimer.h:

(JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):

• runtime/PromiseDeferredTimer.cpp:

(JSC::PromiseDeferredTimer::doWork):
(JSC::PromiseDeferredTimer::runRunLoop):
(JSC::PromiseDeferredTimer::addPendingPromise):
(JSC::PromiseDeferredTimer::hasPendingPromise):
(JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
(JSC::PromiseDeferredTimer::cancelPendingPromise):
(JSC::PromiseDeferredTimer::scheduleWorkSoon):

• runtime/PromiseDeferredTimer.h:
• runtime/VM.cpp:

(JSC::VM::VM):
(JSC::VM::~VM):
(JSC::VM::setRunLoop):
(JSC::VM::registerRunLoopTimer): Deleted.
(JSC::VM::unregisterRunLoopTimer): Deleted.

• runtime/VM.h:

(JSC::VM::runLoop const):

• wasm/js/WebAssemblyPrototype.cpp:

(JSC::webAssemblyModuleValidateAsyncInternal):
(JSC::instantiate):
(JSC::compileAndInstantiate):
(JSC::webAssemblyModuleInstantinateAsyncInternal):
(JSC::webAssemblyCompileStreamingInternal):
(JSC::webAssemblyInstantiateStreamingInternal):

Source/WebCore:

• page/cocoa/ResourceUsageThreadCocoa.mm:

(WebCore::ResourceUsageThread::platformThreadBody):

• page/linux/ResourceUsageThreadLinux.cpp:

(WebCore::ResourceUsageThread::platformThreadBody):

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/heap/EdenGCActivityCallback.cpp (modified) (1 diff)
• JavaScriptCore/heap/EdenGCActivityCallback.h (modified) (1 diff)
• JavaScriptCore/heap/FullGCActivityCallback.cpp (modified) (2 diffs)
• JavaScriptCore/heap/FullGCActivityCallback.h (modified) (2 diffs)
• JavaScriptCore/heap/GCActivityCallback.cpp (modified) (5 diffs)
• JavaScriptCore/heap/GCActivityCallback.h (modified) (3 diffs)
• JavaScriptCore/heap/Heap.cpp (modified) (4 diffs)
• JavaScriptCore/heap/IncrementalSweeper.cpp (modified) (7 diffs)
• JavaScriptCore/heap/IncrementalSweeper.h (modified) (1 diff)
• JavaScriptCore/heap/StopIfNecessaryTimer.cpp (modified) (3 diffs)
• JavaScriptCore/heap/StopIfNecessaryTimer.h (modified) (1 diff)
• JavaScriptCore/runtime/JSRunLoopTimer.cpp (modified) (6 diffs)
• JavaScriptCore/runtime/JSRunLoopTimer.h (modified) (2 diffs)
• JavaScriptCore/runtime/PromiseDeferredTimer.cpp (modified) (11 diffs)
• JavaScriptCore/runtime/PromiseDeferredTimer.h (modified) (1 diff)
• JavaScriptCore/runtime/VM.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/VM.h (modified) (2 diffs)
• JavaScriptCore/wasm/js/WebAssemblyPrototype.cpp (modified) (6 diffs)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/page/cocoa/ResourceUsageThreadCocoa.mm (modified) (1 diff)
• WebCore/page/linux/ResourceUsageThreadLinux.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2018-08-23  Saam barati  <sbarati@apple.com>
+
+        JSRunLoopTimer may run part of a member function after it's destroyed
+        https://bugs.webkit.org/show_bug.cgi?id=188426
+
+        Reviewed by Mark Lam.
+
+        When I was reading the JSRunLoopTimer code, I noticed that it is possible
+        to end up running timer code after the class had been destroyed.
+        
+        The issue I spotted was in this function:
+        ```
+        void JSRunLoopTimer::timerDidFire()
+        {
+            JSLock* apiLock = m_apiLock.get();
+            if (!apiLock) {
+                // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
+                return;
+            }
+            // HERE
+            std::lock_guard<JSLock> lock(*apiLock);
+            RefPtr<VM> vm = apiLock->vm();
+            if (!vm) {
+                // The VM has been destroyed, so we should just give up.
+                return;
+            }
+        
+            doWork();
+        }
+        ```
+        
+        Look at the comment 'HERE'. Let's say that the timer callback thread gets context
+        switched before grabbing the API lock. Then, some other thread destroys the VM.
+        And let's say that the VM owns (perhaps transitively) this timer. Then, the
+        timer would run code and access member variables after it was destroyed.
+        
+        This patch fixes this issue by introducing a new timer manager class. 
+        This class manages timers on a per VM basis. When a timer is scheduled,
+        this class refs the timer. It also calls the timer callback while actively
+        maintaining a +1 ref to it. So, it's no longer possible to call the timer
+        callback after the timer has been destroyed. However, calling a timer callback
+        can still race with the VM being destroyed. We continue to detect this case and
+        bail out of the callback early.
+        
+        This patch also removes a lot of duplicate code between GCActivityCallback
+        and JSRunLoopTimer.
+
+        * heap/EdenGCActivityCallback.cpp:
+        (JSC::EdenGCActivityCallback::doCollection):
+        (JSC::EdenGCActivityCallback::lastGCLength):
+        (JSC::EdenGCActivityCallback::deathRate):
+        * heap/EdenGCActivityCallback.h:
+        * heap/FullGCActivityCallback.cpp:
+        (JSC::FullGCActivityCallback::doCollection):
+        (JSC::FullGCActivityCallback::lastGCLength):
+        (JSC::FullGCActivityCallback::deathRate):
+        * heap/FullGCActivityCallback.h:
+        * heap/GCActivityCallback.cpp:
+        (JSC::GCActivityCallback::doWork):
+        (JSC::GCActivityCallback::scheduleTimer):
+        (JSC::GCActivityCallback::didAllocate):
+        (JSC::GCActivityCallback::willCollect):
+        (JSC::GCActivityCallback::cancel):
+        (JSC::GCActivityCallback::cancelTimer): Deleted.
+        (JSC::GCActivityCallback::nextFireTime): Deleted.
+        * heap/GCActivityCallback.h:
+        * heap/Heap.cpp:
+        (JSC::Heap::reportAbandonedObjectGraph):
+        (JSC::Heap::notifyIncrementalSweeper):
+        (JSC::Heap::updateAllocationLimits):
+        (JSC::Heap::didAllocate):
+        * heap/IncrementalSweeper.cpp:
+        (JSC::IncrementalSweeper::scheduleTimer):
+        (JSC::IncrementalSweeper::doWork):
+        (JSC::IncrementalSweeper::doSweep):
+        (JSC::IncrementalSweeper::sweepNextBlock):
+        (JSC::IncrementalSweeper::startSweeping):
+        (JSC::IncrementalSweeper::stopSweeping):
+        * heap/IncrementalSweeper.h:
+        * heap/StopIfNecessaryTimer.cpp:
+        (JSC::StopIfNecessaryTimer::doWork):
+        (JSC::StopIfNecessaryTimer::scheduleSoon):
+        * heap/StopIfNecessaryTimer.h:
+        * runtime/JSRunLoopTimer.cpp:
+        (JSC::epochTime):
+        (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
+        (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
+        (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
+        (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
+        (JSC::JSRunLoopTimer::Manager::timerDidFire):
+        (JSC::JSRunLoopTimer::Manager::shared):
+        (JSC::JSRunLoopTimer::Manager::registerVM):
+        (JSC::JSRunLoopTimer::Manager::unregisterVM):
+        (JSC::JSRunLoopTimer::Manager::scheduleTimer):
+        (JSC::JSRunLoopTimer::Manager::cancelTimer):
+        (JSC::JSRunLoopTimer::Manager::timeUntilFire):
+        (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
+        (JSC::JSRunLoopTimer::timerDidFire):
+        (JSC::JSRunLoopTimer::JSRunLoopTimer):
+        (JSC::JSRunLoopTimer::timeUntilFire):
+        (JSC::JSRunLoopTimer::setTimeUntilFire):
+        (JSC::JSRunLoopTimer::cancelTimer):
+        (JSC::JSRunLoopTimer::setRunLoop): Deleted.
+        (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
+        (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
+        * runtime/JSRunLoopTimer.h:
+        (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
+        * runtime/PromiseDeferredTimer.cpp:
+        (JSC::PromiseDeferredTimer::doWork):
+        (JSC::PromiseDeferredTimer::runRunLoop):
+        (JSC::PromiseDeferredTimer::addPendingPromise):
+        (JSC::PromiseDeferredTimer::hasPendingPromise):
+        (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
+        (JSC::PromiseDeferredTimer::cancelPendingPromise):
+        (JSC::PromiseDeferredTimer::scheduleWorkSoon):
+        * runtime/PromiseDeferredTimer.h:
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+        (JSC::VM::~VM):
+        (JSC::VM::setRunLoop):
+        (JSC::VM::registerRunLoopTimer): Deleted.
+        (JSC::VM::unregisterRunLoopTimer): Deleted.
+        * runtime/VM.h:
+        (JSC::VM::runLoop const):
+        * wasm/js/WebAssemblyPrototype.cpp:
+        (JSC::webAssemblyModuleValidateAsyncInternal):
+        (JSC::instantiate):
+        (JSC::compileAndInstantiate):
+        (JSC::webAssemblyModuleInstantinateAsyncInternal):
+        (JSC::webAssemblyCompileStreamingInternal):
+        (JSC::webAssemblyInstantiateStreamingInternal):
+
 2018-08-23  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/heap/EdenGCActivityCallback.cpp

@@ -37 +37 @@
 }
 
-void EdenGCActivityCallback::doCollection()
+void EdenGCActivityCallback::doCollection(VM& vm)
 {
-    m_vm->heap.collectAsync(CollectionScope::Eden);
+    vm.heap.collectAsync(CollectionScope::Eden);
 }
 
-Seconds EdenGCActivityCallback::lastGCLength()
+Seconds EdenGCActivityCallback::lastGCLength(Heap& heap)
 {
-    return m_vm->heap.lastEdenGCLength();
+    return heap.lastEdenGCLength();
 }
 
-double EdenGCActivityCallback::deathRate()
+double EdenGCActivityCallback::deathRate(Heap& heap)
 {
-    Heap* heap = &m_vm->heap;
-    size_t sizeBefore = heap->sizeBeforeLastEdenCollection();
-    size_t sizeAfter = heap->sizeAfterLastEdenCollection();
+    size_t sizeBefore = heap.sizeBeforeLastEdenCollection();
+    size_t sizeAfter = heap.sizeAfterLastEdenCollection();
     if (!sizeBefore)
         return 1.0;

trunk/Source/JavaScriptCore/heap/EdenGCActivityCallback.h

@@ -34 +34 @@
     EdenGCActivityCallback(Heap*);
 
-    void doCollection() override;
+    void doCollection(VM&) override;
 
 protected:
-    Seconds lastGCLength() override;
+    Seconds lastGCLength(Heap&) override;
     double gcTimeSlice(size_t bytes) override;
-    double deathRate() override;
+    double deathRate(Heap&) override;
 };
 

trunk/Source/JavaScriptCore/heap/FullGCActivityCallback.cpp

@@ -40 +40 @@
 }
 
-void FullGCActivityCallback::doCollection()
+void FullGCActivityCallback::doCollection(VM& vm)
 {
-    Heap& heap = m_vm->heap;
+    Heap& heap = vm.heap;
     m_didGCRecently = false;
 
@@ -57 +57 @@
 }
 
-Seconds FullGCActivityCallback::lastGCLength()
+Seconds FullGCActivityCallback::lastGCLength(Heap& heap)
 {
-    return m_vm->heap.lastFullGCLength();
+    return heap.lastFullGCLength();
 }
 
-double FullGCActivityCallback::deathRate()
+double FullGCActivityCallback::deathRate(Heap& heap)
 {
-    Heap* heap = &m_vm->heap;
-    size_t sizeBefore = heap->sizeBeforeLastFullCollection();
-    size_t sizeAfter = heap->sizeAfterLastFullCollection();
+    size_t sizeBefore = heap.sizeBeforeLastFullCollection();
+    size_t sizeAfter = heap.sizeAfterLastFullCollection();
     if (!sizeBefore)
         return 1.0;

trunk/Source/JavaScriptCore/heap/FullGCActivityCallback.h

@@ -34 +34 @@
     FullGCActivityCallback(Heap*);
 
-    void doCollection() override;
+    void doCollection(VM&) override;
 
     bool didGCRecently() const { return m_didGCRecently; }
@@ -40 +40 @@
 
 protected:
-    Seconds lastGCLength() override;
+    Seconds lastGCLength(Heap&) override;
     double gcTimeSlice(size_t bytes) override;
-    double deathRate() override;
+    double deathRate(Heap&) override;
 
     bool m_didGCRecently { false };

trunk/Source/JavaScriptCore/heap/GCActivityCallback.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2010-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -46 +46 @@
 }
 
-void GCActivityCallback::doWork()
+void GCActivityCallback::doWork(VM& vm)
 {
-    Heap* heap = &m_vm->heap;
     if (!isEnabled())
         return;
     
-    JSLockHolder locker(m_vm);
-    if (heap->isDeferred()) {
+    ASSERT(vm.currentThreadIsHoldingAPILock());
+    Heap& heap = vm.heap;
+    if (heap.isDeferred()) {
         scheduleTimer(0_s);
         return;
     }
 
-    doCollection();
+    doCollection(vm);
 }
 
-#if USE(CF)
 void GCActivityCallback::scheduleTimer(Seconds newDelay)
 {
@@ -68 +67 @@
     Seconds delta = m_delay - newDelay;
     m_delay = newDelay;
-    CFRunLoopTimerSetNextFireDate(m_timer.get(), CFRunLoopTimerGetNextFireDate(m_timer.get()) - delta.seconds());
+    if (auto timeUntilFire = this->timeUntilFire())
+        setTimeUntilFire(*timeUntilFire - delta);
+    else
+        setTimeUntilFire(newDelay);
 }
 
-void GCActivityCallback::cancelTimer()
-{
-    m_delay = s_decade;
-    CFRunLoopTimerSetNextFireDate(m_timer.get(), CFAbsoluteTimeGetCurrent() + s_decade.seconds());
-}
-
-MonotonicTime GCActivityCallback::nextFireTime()
-{
-    return MonotonicTime::now() + Seconds(CFRunLoopTimerGetNextFireDate(m_timer.get()) - CFAbsoluteTimeGetCurrent());
-}
-#else
-void GCActivityCallback::scheduleTimer(Seconds newDelay)
-{
-    if (newDelay * timerSlop > m_delay)
-        return;
-    Seconds delta = m_delay - newDelay;
-    m_delay = newDelay;
-
-    Seconds secondsUntilFire = m_timer.secondsUntilFire();
-    m_timer.startOneShot(std::max<Seconds>(secondsUntilFire - delta, 0_s));
-}
-
-void GCActivityCallback::cancelTimer()
-{
-    m_delay = s_decade;
-    m_timer.startOneShot(s_decade);
-}
-
-MonotonicTime GCActivityCallback::nextFireTime()
-{
-    return MonotonicTime::now() + m_timer.secondsUntilFire();
-}
-#endif
-
-void GCActivityCallback::didAllocate(size_t bytes)
+void GCActivityCallback::didAllocate(Heap& heap, size_t bytes)
 {
     // The first byte allocated in an allocation cycle will report 0 bytes to didAllocate. 
@@ -111 +79 @@
     if (!bytes)
         bytes = 1;
-    double bytesExpectedToReclaim = static_cast<double>(bytes) * deathRate();
-    Seconds newDelay = lastGCLength() / gcTimeSlice(bytesExpectedToReclaim);
+    double bytesExpectedToReclaim = static_cast<double>(bytes) * deathRate(heap);
+    Seconds newDelay = lastGCLength(heap) / gcTimeSlice(bytesExpectedToReclaim);
     scheduleTimer(newDelay);
 }
@@ -118 +86 @@
 void GCActivityCallback::willCollect()
 {
-    cancelTimer();
+    cancel();
 }
 
 void GCActivityCallback::cancel()
 {
+    m_delay = s_decade;
     cancelTimer();
 }

trunk/Source/JavaScriptCore/heap/GCActivityCallback.h

@@ -49 +49 @@
     GCActivityCallback(Heap*);
 
-    void doWork() override;
+    void doWork(VM&) override;
 
-    virtual void doCollection() = 0;
+    virtual void doCollection(VM&) = 0;
 
-    virtual void didAllocate(size_t);
-    virtual void willCollect();
-    virtual void cancel();
+    void didAllocate(Heap&, size_t);
+    void willCollect();
+    void cancel();
     bool isEnabled() const { return m_enabled; }
     void setEnabled(bool enabled) { m_enabled = enabled; }
@@ -61 +61 @@
     static bool s_shouldCreateGCTimer;
 
-    MonotonicTime nextFireTime();
-
 protected:
-    virtual Seconds lastGCLength() = 0;
+    virtual Seconds lastGCLength(Heap&) = 0;
     virtual double gcTimeSlice(size_t bytes) = 0;
-    virtual double deathRate() = 0;
+    virtual double deathRate(Heap&) = 0;
 
     GCActivityCallback(VM* vm)
@@ -78 +76 @@
 
 protected:
-    void cancelTimer();
     void scheduleTimer(Seconds);
 

trunk/Source/JavaScriptCore/heap/Heap.cpp

@@ -540 +540 @@
     // we hasten the next collection by pretending that we've allocated more memory. 
     if (m_fullActivityCallback) {
-        m_fullActivityCallback->didAllocate(
+        m_fullActivityCallback->didAllocate(*this,
             m_sizeAfterLastCollect - m_sizeAfterLastFullCollect + m_bytesAllocatedThisCycle + m_bytesAbandonedSinceLastFullCollect);
     }
@@ -2195 +2195 @@
     }
 
-    m_sweeper->startSweeping();
+    m_sweeper->startSweeping(*this);
 }
 
@@ -2274 +2274 @@
         if (m_fullActivityCallback) {
             ASSERT(currentHeapSize >= m_sizeAfterLastFullCollect);
-            m_fullActivityCallback->didAllocate(currentHeapSize - m_sizeAfterLastFullCollect);
+            m_fullActivityCallback->didAllocate(*this, currentHeapSize - m_sizeAfterLastFullCollect);
         }
     }
@@ -2355 +2355 @@
 {
     if (m_edenActivityCallback)
-        m_edenActivityCallback->didAllocate(m_bytesAllocatedThisCycle + m_bytesAbandonedSinceLastFullCollect);
+        m_edenActivityCallback->didAllocate(*this, m_bytesAllocatedThisCycle + m_bytesAbandonedSinceLastFullCollect);
     m_bytesAllocatedThisCycle += bytes;
     performIncrement(bytes);

trunk/Source/JavaScriptCore/heap/IncrementalSweeper.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2012, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -35 +35 @@
 namespace JSC {
 
-static const Seconds sweepTimeSlice = 10_ms; // seconds
+static const Seconds sweepTimeSlice = 10_ms;
 static const double sweepTimeTotal = .10;
 static const double sweepTimeMultiplier = 1.0 / sweepTimeTotal;
@@ -41 +41 @@
 void IncrementalSweeper::scheduleTimer()
 {
-    Base::scheduleTimer(sweepTimeSlice * sweepTimeMultiplier);
+    setTimeUntilFire(sweepTimeSlice * sweepTimeMultiplier);
 }
 
@@ -50 +50 @@
 }
 
-void IncrementalSweeper::doWork()
+void IncrementalSweeper::doWork(VM& vm)
 {
-    doSweep(MonotonicTime::now());
+    doSweep(vm, MonotonicTime::now());
 }
 
-void IncrementalSweeper::doSweep(MonotonicTime sweepBeginTime)
+void IncrementalSweeper::doSweep(VM& vm, MonotonicTime sweepBeginTime)
 {
-    while (sweepNextBlock()) {
+    while (sweepNextBlock(vm)) {
         Seconds elapsedTime = MonotonicTime::now() - sweepBeginTime;
         if (elapsedTime < sweepTimeSlice)
@@ -73 +73 @@
 }
 
-bool IncrementalSweeper::sweepNextBlock()
+bool IncrementalSweeper::sweepNextBlock(VM& vm)
 {
-    m_vm->heap.stopIfNecessary();
+    vm.heap.stopIfNecessary();
 
     MarkedBlock::Handle* block = nullptr;
@@ -86 +86 @@
     
     if (block) {
-        DeferGCForAWhile deferGC(m_vm->heap);
+        DeferGCForAWhile deferGC(vm.heap);
         block->sweep(nullptr);
-        m_vm->heap.objectSpace().freeOrShrinkBlock(block);
+        vm.heap.objectSpace().freeOrShrinkBlock(block);
         return true;
     }
 
-    return m_vm->heap.sweepNextLogicallyEmptyWeakBlock();
+    return vm.heap.sweepNextLogicallyEmptyWeakBlock();
 }
 
-void IncrementalSweeper::startSweeping()
+void IncrementalSweeper::startSweeping(Heap& heap)
 {
     scheduleTimer();
-    m_currentDirectory = m_vm->heap.objectSpace().firstDirectory();
+    m_currentDirectory = heap.objectSpace().firstDirectory();
 }
 
@@ -104 +104 @@
 {
     m_currentDirectory = nullptr;
-    if (m_vm)
-        cancelTimer();
+    cancelTimer();
 }
 

trunk/Source/JavaScriptCore/heap/IncrementalSweeper.h

@@ -38 +38 @@
     JS_EXPORT_PRIVATE explicit IncrementalSweeper(Heap*);
 
-    JS_EXPORT_PRIVATE void startSweeping();
+    JS_EXPORT_PRIVATE void startSweeping(Heap&);
     void freeFastMallocMemoryAfterSweeping() { m_shouldFreeFastMallocMemoryAfterSweeping = true; }
 
-    JS_EXPORT_PRIVATE void doWork() override;
-    bool sweepNextBlock();
-    JS_EXPORT_PRIVATE void stopSweeping();
+    void doWork(VM&) override;
+    void stopSweeping();
 
 private:
-    void doSweep(MonotonicTime startTime);
+    bool sweepNextBlock(VM&);
+    void doSweep(VM&, MonotonicTime startTime);
     void scheduleTimer();
     

trunk/Source/JavaScriptCore/heap/StopIfNecessaryTimer.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -36 +36 @@
 }
 
-void StopIfNecessaryTimer::doWork()
+void StopIfNecessaryTimer::doWork(VM& vm)
 {
     cancelTimer();
     WTF::storeStoreFence();
-    m_vm->heap.stopIfNecessary();
+    vm.heap.stopIfNecessary();
 }
 
@@ -49 +49 @@
         return;
     }
-    scheduleTimer(0_s);
+    setTimeUntilFire(0_s);
 }
 

trunk/Source/JavaScriptCore/heap/StopIfNecessaryTimer.h

@@ -37 +37 @@
     explicit StopIfNecessaryTimer(VM*);
     
-    void doWork() override;
+    void doWork(VM&) override;
     
     void scheduleSoon();

trunk/Source/JavaScriptCore/runtime/JSRunLoopTimer.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 #include "JSRunLoopTimer.h"
 
-#include "GCActivityCallback.h"
 #include "IncrementalSweeper.h"
 #include "JSCInlines.h"
@@ -34 +33 @@
 
 #include <wtf/MainThread.h>
+#include <wtf/NoTailCalls.h>
 #include <wtf/Threading.h>
 
@@ -47 +47 @@
 const Seconds JSRunLoopTimer::s_decade { 60 * 60 * 24 * 365 * 10 };
 
+static inline JSRunLoopTimer::Manager::EpochTime epochTime(Seconds delay)
+{
+#if USE(CF)
+    return Seconds { CFAbsoluteTimeGetCurrent() + delay.value() };
+#else
+    return MonotonicTime::now().secondsSinceEpoch() + delay;
+#endif
+}
+
+#if USE(CF)
+void JSRunLoopTimer::Manager::timerDidFireCallback(CFRunLoopTimerRef, void* contextPtr)
+{
+    static_cast<JSRunLoopTimer::Manager*>(contextPtr)->timerDidFire();
+}
+
+void JSRunLoopTimer::Manager::PerVMData::setRunLoop(Manager* manager, CFRunLoopRef newRunLoop)
+{
+    if (runLoop) {
+        CFRunLoopRemoveTimer(runLoop.get(), timer.get(), kCFRunLoopCommonModes);
+        CFRunLoopTimerInvalidate(timer.get());
+        runLoop.clear();
+        timer.clear();
+    }
+
+    if (newRunLoop) {
+        runLoop = newRunLoop;
+        memset(&context, 0, sizeof(CFRunLoopTimerContext));
+        RELEASE_ASSERT(manager);
+        context.info = manager;
+        timer = adoptCF(CFRunLoopTimerCreate(kCFAllocatorDefault, CFAbsoluteTimeGetCurrent() + s_decade.seconds(), CFAbsoluteTimeGetCurrent() + s_decade.seconds(), 0, 0, JSRunLoopTimer::Manager::timerDidFireCallback, &context));
+        CFRunLoopAddTimer(runLoop.get(), timer.get(), kCFRunLoopCommonModes);
+
+        EpochTime scheduleTime = epochTime(s_decade);
+        for (auto& pair : timers)
+            scheduleTime = std::min(pair.second, scheduleTime);
+        CFRunLoopTimerSetNextFireDate(timer.get(), scheduleTime.value());
+    }
+}
+#else
+JSRunLoopTimer::Manager::PerVMData::PerVMData(Manager& manager)
+    : runLoop(&RunLoop::current())
+    , timer(std::make_unique<RunLoop::Timer<Manager>>(*runLoop, &manager, &JSRunLoopTimer::Manager::timerDidFireCallback))
+{
+#if USE(GLIB_EVENT_LOOP)
+    timer->setPriority(RunLoopSourcePriority::JavascriptTimer);
+    timer->setName("[JavaScriptCore] JSRunLoopTimer");
+#endif
+}
+
+void JSRunLoopTimer::Manager::timerDidFireCallback()
+{
+    timerDidFire();
+}
+#endif
+
+JSRunLoopTimer::Manager::PerVMData::~PerVMData()
+{
+#if USE(CF)
+    setRunLoop(nullptr, nullptr);
+#endif
+}
+
+void JSRunLoopTimer::Manager::timerDidFire()
+{
+    Vector<Ref<JSRunLoopTimer>> timersToFire;
+
+    {
+        auto locker = holdLock(m_lock);
+#if USE(CF)
+        CFRunLoopRef currentRunLoop = CFRunLoopGetCurrent();
+#else
+        RunLoop* currentRunLoop = &RunLoop::current();
+#endif
+        EpochTime nowEpochTime = epochTime(0_s);
+        for (auto& entry : m_mapping) {
+            PerVMData& data = entry.value;
+#if USE(CF)
+            if (data.runLoop.get() != currentRunLoop)
+                continue;
+#else
+            if (data.runLoop != currentRunLoop)
+                continue;
+#endif
+            
+            EpochTime scheduleTime = epochTime(s_decade);
+            for (size_t i = 0; i < data.timers.size(); ++i) {
+                {
+                    auto& pair = data.timers[i];
+                    if (pair.second > nowEpochTime) {
+                        scheduleTime = std::min(pair.second, scheduleTime);
+                        continue;
+                    }
+                    auto& last = data.timers.last();
+                    if (&last != &pair)
+                        std::swap(pair, last);
+                    --i;
+                }
+
+                auto pair = data.timers.takeLast();
+                timersToFire.append(WTFMove(pair.first));
+            }
+
+#if USE(CF)
+            CFRunLoopTimerSetNextFireDate(data.timer.get(), scheduleTime.value());
+#else
+            data.timer->startOneShot(std::max(0_s, scheduleTime - MonotonicTime::now().secondsSinceEpoch()));
+#endif
+        }
+    }
+
+    for (auto& timer : timersToFire)
+        timer->timerDidFire();
+}
+
+JSRunLoopTimer::Manager& JSRunLoopTimer::Manager::shared()
+{
+    static Manager* manager;
+    static std::once_flag once;
+    std::call_once(once, [&] {
+        manager = new Manager;
+    });
+    return *manager;
+}
+
+void JSRunLoopTimer::Manager::registerVM(VM& vm)
+{
+    PerVMData data { *this };
+#if USE(CF)
+    data.setRunLoop(this, vm.runLoop());
+#endif
+
+    auto locker = holdLock(m_lock);
+    auto addResult = m_mapping.add({ vm.apiLock() }, WTFMove(data));
+    RELEASE_ASSERT(addResult.isNewEntry);
+}
+
+void JSRunLoopTimer::Manager::unregisterVM(VM& vm)
+{
+    auto locker = holdLock(m_lock);
+
+    auto iter = m_mapping.find({ vm.apiLock() });
+    RELEASE_ASSERT(iter != m_mapping.end());
+    m_mapping.remove(iter);
+}
+
+void JSRunLoopTimer::Manager::scheduleTimer(JSRunLoopTimer& timer, Seconds delay)
+{
+    EpochTime fireEpochTime = epochTime(delay);
+
+    auto locker = holdLock(m_lock);
+    auto iter = m_mapping.find(timer.m_apiLock);
+    RELEASE_ASSERT(iter != m_mapping.end()); // We don't allow calling this after the VM dies.
+
+    PerVMData& data = iter->value;
+    EpochTime scheduleTime = fireEpochTime;
+    bool found = false;
+    for (auto& entry : data.timers) {
+        if (entry.first.ptr() == &timer) {
+            entry.second = fireEpochTime;
+            found = true;
+        }
+        scheduleTime = std::min(scheduleTime, entry.second);
+    }
+
+    if (!found)
+        data.timers.append({ timer, fireEpochTime });
+
+#if USE(CF)
+    CFRunLoopTimerSetNextFireDate(data.timer.get(), scheduleTime.value());
+#else
+    data.timer->startOneShot(std::max(0_s, scheduleTime - MonotonicTime::now().secondsSinceEpoch()));
+#endif
+}
+
+void JSRunLoopTimer::Manager::cancelTimer(JSRunLoopTimer& timer)
+{
+    auto locker = holdLock(m_lock);
+    auto iter = m_mapping.find(timer.m_apiLock);
+    if (iter == m_mapping.end()) {
+        // It's trivial to allow this to be called after the VM dies, so we allow for it.
+        return;
+    }
+
+    PerVMData& data = iter->value;
+    EpochTime scheduleTime = epochTime(s_decade);
+    for (unsigned i = 0; i < data.timers.size(); ++i) {
+        {
+            auto& entry = data.timers[i];
+            if (entry.first.ptr() == &timer) {
+                RELEASE_ASSERT(timer.refCount() >= 2); // If we remove it from the entry below, we should not be the last thing pointing to it!
+                auto& last = data.timers.last();
+                if (&last != &entry)
+                    std::swap(entry, last);
+                data.timers.removeLast();
+                i--;
+                continue;
+            }
+        }
+
+        scheduleTime = std::min(scheduleTime, data.timers[i].second);
+    }
+
+#if USE(CF)
+    CFRunLoopTimerSetNextFireDate(data.timer.get(), scheduleTime.value());
+#else
+    data.timer->startOneShot(std::max(0_s, scheduleTime - MonotonicTime::now().secondsSinceEpoch()));
+#endif
+}
+
+std::optional<Seconds> JSRunLoopTimer::Manager::timeUntilFire(JSRunLoopTimer& timer)
+{
+    auto locker = holdLock(m_lock);
+    auto iter = m_mapping.find(timer.m_apiLock);
+    RELEASE_ASSERT(iter != m_mapping.end()); // We only allow this to be called with a live VM.
+
+    PerVMData& data = iter->value;
+    for (auto& entry : data.timers) {
+        if (entry.first.ptr() == &timer) {
+            EpochTime nowEpochTime = epochTime(0_s);
+            return entry.second - nowEpochTime;
+        }
+    }
+
+    return std::nullopt;
+}
+
+#if USE(CF)
+void JSRunLoopTimer::Manager::didChangeRunLoop(VM& vm, CFRunLoopRef newRunLoop)
+{
+    auto locker = holdLock(m_lock);
+    auto iter = m_mapping.find({ vm.apiLock() });
+    RELEASE_ASSERT(iter != m_mapping.end());
+
+    PerVMData& data = iter->value;
+    data.setRunLoop(this, newRunLoop);
+}
+#endif
+
 void JSRunLoopTimer::timerDidFire()
 {
-    JSLock* apiLock = m_apiLock.get();
-    if (!apiLock) {
-        // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
-        return;
-    }
-
-    std::lock_guard<JSLock> lock(*apiLock);
-    RefPtr<VM> vm = apiLock->vm();
+    NO_TAIL_CALLS();
+
+    {
+        auto locker = holdLock(m_lock);
+        if (!m_isScheduled) {
+            // We raced between this callback being called and cancel() being called.
+            // That's fine, we just don't do anything here.
+            return;
+        }
+    }
+
+    std::lock_guard<JSLock> lock(m_apiLock.get());
+    RefPtr<VM> vm = m_apiLock->vm();
     if (!vm) {
         // The VM has been destroyed, so we should just give up.
@@ -62 +305 @@
     }
 
-    doWork();
-}
-
-#if USE(CF)
+    doWork(*vm);
+}
 
 JSRunLoopTimer::JSRunLoopTimer(VM* vm)
-    : m_vm(vm)
-    , m_apiLock(&vm->apiLock())
-{
-    m_vm->registerRunLoopTimer(this);
-}
-
-void JSRunLoopTimer::setRunLoop(CFRunLoopRef runLoop)
-{
-    if (m_runLoop) {
-        CFRunLoopRemoveTimer(m_runLoop.get(), m_timer.get(), kCFRunLoopCommonModes);
-        CFRunLoopTimerInvalidate(m_timer.get());
-        m_runLoop.clear();
-        m_timer.clear();
-    }
-
-    m_runLoop = runLoop;
-    if (runLoop) {
-        memset(&m_context, 0, sizeof(CFRunLoopTimerContext));
-        m_context.info = this;
-        m_timer = adoptCF(CFRunLoopTimerCreate(kCFAllocatorDefault, CFAbsoluteTimeGetCurrent() + s_decade.seconds(), s_decade.seconds(), 0, 0, JSRunLoopTimer::timerDidFireCallback, &m_context));
-        CFRunLoopAddTimer(m_runLoop.get(), m_timer.get(), kCFRunLoopCommonModes);
-    }
+    : m_apiLock(vm->apiLock())
+{
 }
 
 JSRunLoopTimer::~JSRunLoopTimer()
 {
-    JSLock* apiLock = m_apiLock.get();
-    std::lock_guard<JSLock> lock(*apiLock);
-    m_vm->unregisterRunLoopTimer(this);
-    m_apiLock = nullptr;
-}
-
-void JSRunLoopTimer::timerDidFireCallback(CFRunLoopTimerRef, void* contextPtr)
-{
-    static_cast<JSRunLoopTimer*>(contextPtr)->timerDidFire();
-}
-
-void JSRunLoopTimer::scheduleTimer(Seconds intervalInSeconds)
-{
-    CFRunLoopTimerSetNextFireDate(m_timer.get(), CFAbsoluteTimeGetCurrent() + intervalInSeconds.seconds());
-    m_isScheduled = true;
+}
+
+std::optional<Seconds> JSRunLoopTimer::timeUntilFire()
+{
+    return Manager::shared().timeUntilFire(*this);
+}
+
+void JSRunLoopTimer::setTimeUntilFire(Seconds intervalInSeconds)
+{
+    {
+        auto locker = holdLock(m_lock);
+        m_isScheduled = true;
+        Manager::shared().scheduleTimer(*this, intervalInSeconds);
+    }
+
     auto locker = holdLock(m_timerCallbacksLock);
     for (auto& task : m_timerSetCallbacks)
@@ -116 +337 @@
 void JSRunLoopTimer::cancelTimer()
 {
-    CFRunLoopTimerSetNextFireDate(m_timer.get(), CFAbsoluteTimeGetCurrent() + s_decade.seconds());
+    auto locker = holdLock(m_lock);
     m_isScheduled = false;
-}
-
-#else
-
-JSRunLoopTimer::JSRunLoopTimer(VM* vm)
-    : m_vm(vm)
-    , m_apiLock(&vm->apiLock())
-    , m_timer(RunLoop::current(), this, &JSRunLoopTimer::timerDidFireCallback)
-{
-#if USE(GLIB_EVENT_LOOP)
-    m_timer.setPriority(RunLoopSourcePriority::JavascriptTimer);
-    m_timer.setName("[JavaScriptCore] JSRunLoopTimer");
-#endif
-    m_timer.startOneShot(s_decade);
-}
-
-JSRunLoopTimer::~JSRunLoopTimer()
-{
-}
-
-void JSRunLoopTimer::timerDidFireCallback()
-{
-    m_timer.startOneShot(s_decade);
-    timerDidFire();
-}
-
-void JSRunLoopTimer::scheduleTimer(Seconds intervalInSeconds)
-{
-    m_timer.startOneShot(intervalInSeconds);
-    m_isScheduled = true;
-
-    auto locker = holdLock(m_timerCallbacksLock);
-    for (auto& task : m_timerSetCallbacks)
-        task->run();
-}
-
-void JSRunLoopTimer::cancelTimer()
-{
-    m_timer.startOneShot(s_decade);
-    m_isScheduled = false;
-}
-
-#endif
+    Manager::shared().cancelTimer(*this);
+}
 
 void JSRunLoopTimer::addTimerSetNotification(TimerNotificationCallback callback)

trunk/Source/JavaScriptCore/runtime/JSRunLoopTimer.h

@@ -48 +48 @@
     using TimerNotificationCallback = RefPtr<WTF::SharedTask<TimerNotificationType>>;
 
-    JSRunLoopTimer(VM*);
+    class Manager {
 #if USE(CF)
-    static void timerDidFireCallback(CFRunLoopTimerRef, void*);
+        static void timerDidFireCallback(CFRunLoopTimerRef, void*);
 #else
-    void timerDidFireCallback();
+        void timerDidFireCallback();
 #endif
 
+        void timerDidFire();
+
+    public:
+        using EpochTime = Seconds;
+
+        static Manager& shared();
+        void registerVM(VM&);
+        void unregisterVM(VM&);
+        void scheduleTimer(JSRunLoopTimer&, Seconds nextFireTime);
+        void cancelTimer(JSRunLoopTimer&);
+
+        std::optional<Seconds> timeUntilFire(JSRunLoopTimer&);
+
+#if USE(CF)
+        void didChangeRunLoop(VM&, CFRunLoopRef newRunLoop);
+#endif
+
+    private:
+        Lock m_lock;
+
+        struct PerVMData {
+            PerVMData() = default;
+#if USE(CF)
+            PerVMData(Manager&) { }
+#else
+            PerVMData(Manager&);
+#endif
+            PerVMData(PerVMData&&) = default;
+            PerVMData& operator=(PerVMData&&) = default;
+
+            ~PerVMData();
+
+#if USE(CF)
+            void setRunLoop(Manager*, CFRunLoopRef);
+            RetainPtr<CFRunLoopTimerRef> timer;
+            RetainPtr<CFRunLoopRef> runLoop;
+            CFRunLoopTimerContext context;
+#else
+            RunLoop* runLoop;
+            std::unique_ptr<RunLoop::Timer<Manager>> timer;
+#endif
+            Vector<std::pair<Ref<JSRunLoopTimer>, EpochTime>> timers;
+        };
+
+        HashMap<Ref<JSLock>, PerVMData> m_mapping;
+    };
+
+    JSRunLoopTimer(VM*);
     JS_EXPORT_PRIVATE virtual ~JSRunLoopTimer();
-    virtual void doWork() = 0;
+    virtual void doWork(VM&) = 0;
 
-    void scheduleTimer(Seconds intervalInSeconds);
+    void setTimeUntilFire(Seconds intervalInSeconds);
     void cancelTimer();
     bool isScheduled() const { return m_isScheduled; }
 
     // Note: The only thing the timer notification callback cannot do is
-    // call scheduleTimer(). This will cause a deadlock. It would not
+    // call setTimeUntilFire(). This will cause a deadlock. It would not
     // be hard to make this work, however, there are no clients that need
     // this behavior. We should implement it only if we find that we need it.
@@ -69 +117 @@
     JS_EXPORT_PRIVATE void removeTimerSetNotification(TimerNotificationCallback);
 
-#if USE(CF)
-    JS_EXPORT_PRIVATE void setRunLoop(CFRunLoopRef);
-#endif // USE(CF)
+    JS_EXPORT_PRIVATE std::optional<Seconds> timeUntilFire();
 
 protected:
-    VM* m_vm;
+    static const Seconds s_decade;
+    Ref<JSLock> m_apiLock;
 
-    static const Seconds s_decade;
+private:
+    friend class Manager;
 
-    RefPtr<JSLock> m_apiLock;
+    void timerDidFire();
+
+    HashSet<TimerNotificationCallback> m_timerSetCallbacks;
+    Lock m_timerCallbacksLock;
+
+    Lock m_lock;
     bool m_isScheduled { false };
-#if USE(CF)
-    RetainPtr<CFRunLoopTimerRef> m_timer;
-    RetainPtr<CFRunLoopRef> m_runLoop;
-
-    CFRunLoopTimerContext m_context;
-
-    Lock m_shutdownMutex;
-#else
-    RunLoop::Timer<JSRunLoopTimer> m_timer;
-#endif
-
-    Lock m_timerCallbacksLock;
-    HashSet<TimerNotificationCallback> m_timerSetCallbacks;
-    
-private:
-    void timerDidFire();
 };
     

trunk/Source/JavaScriptCore/runtime/PromiseDeferredTimer.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -44 +44 @@
 }
 
-void PromiseDeferredTimer::doWork()
+void PromiseDeferredTimer::doWork(VM& vm)
 {
-    ASSERT(m_vm->currentThreadIsHoldingAPILock());
+    ASSERT(vm.currentThreadIsHoldingAPILock());
     m_taskLock.lock();
     cancelTimer();
@@ -67 +67 @@
 
             task();
-            m_vm->drainMicrotasks();
+            vm.drainMicrotasks();
 
             m_taskLock.lock();
@@ -76 +76 @@
     if (m_pendingPromises.isEmpty() && m_shouldStopRunLoopWhenAllPromisesFinish) {
 #if USE(CF)
-        CFRunLoopStop(m_runLoop.get());
+        CFRunLoopStop(vm.runLoop());
 #else
         RunLoop::current().stop();
@@ -87 +87 @@
 void PromiseDeferredTimer::runRunLoop()
 {
-    ASSERT(!m_vm->currentThreadIsHoldingAPILock());
+    ASSERT(!m_apiLock->vm()->currentThreadIsHoldingAPILock());
 #if USE(CF)
-    ASSERT(CFRunLoopGetCurrent() == m_runLoop.get());
+    ASSERT(CFRunLoopGetCurrent() == m_apiLock->vm()->runLoop());
 #endif
     m_shouldStopRunLoopWhenAllPromisesFinish = true;
-    if (m_pendingPromises.size())
+    if (m_pendingPromises.size()) {
 #if USE(CF)
         CFRunLoopRun();
@@ -98 +98 @@
         RunLoop::run();
 #endif
+    }
 }
 
-void PromiseDeferredTimer::addPendingPromise(JSPromiseDeferred* ticket, Vector<Strong<JSCell>>&& dependencies)
+void PromiseDeferredTimer::addPendingPromise(VM& vm, JSPromiseDeferred* ticket, Vector<Strong<JSCell>>&& dependencies)
 {
-    ASSERT(m_vm->currentThreadIsHoldingAPILock());
+    ASSERT(vm.currentThreadIsHoldingAPILock());
     for (unsigned i = 0; i < dependencies.size(); ++i)
         ASSERT(dependencies[i].get() != ticket);
@@ -109 +110 @@
     if (result.isNewEntry) {
         dataLogLnIf(PromiseDeferredTimerInternal::verbose, "Adding new pending promise: ", RawPointer(ticket));
-        dependencies.append(Strong<JSCell>(*m_vm, ticket));
+        dependencies.append(Strong<JSCell>(vm, ticket));
         result.iterator->value = WTFMove(dependencies);
     } else {
@@ -123 +124 @@
 bool PromiseDeferredTimer::hasPendingPromise(JSPromiseDeferred* ticket)
 {
-    ASSERT(m_vm->currentThreadIsHoldingAPILock());
+    ASSERT(ticket->vm()->currentThreadIsHoldingAPILock());
     return m_pendingPromises.contains(ticket);
 }
@@ -129 +130 @@
 bool PromiseDeferredTimer::hasDependancyInPendingPromise(JSPromiseDeferred* ticket, JSCell* dependency)
 {
-    ASSERT(m_vm->currentThreadIsHoldingAPILock());
+    ASSERT(ticket->vm()->currentThreadIsHoldingAPILock());
     ASSERT(m_pendingPromises.contains(ticket));
 
@@ -138 +139 @@
 bool PromiseDeferredTimer::cancelPendingPromise(JSPromiseDeferred* ticket)
 {
-    ASSERT(m_vm->currentThreadIsHoldingAPILock());
+    ASSERT(ticket->vm()->currentThreadIsHoldingAPILock());
     bool result = m_pendingPromises.remove(ticket);
 
@@ -152 +153 @@
     m_tasks.append(std::make_tuple(ticket, WTFMove(task)));
     if (!isScheduled() && !m_currentlyRunningTask)
-        scheduleTimer(0_s);
+        setTimeUntilFire(0_s);
 }
 

trunk/Source/JavaScriptCore/runtime/PromiseDeferredTimer.h

@@ -45 +45 @@
     PromiseDeferredTimer(VM&);
 
-    void doWork() override;
+    void doWork(VM&) override;
 
-    void addPendingPromise(JSPromiseDeferred*, Vector<Strong<JSCell>>&& dependencies);
+    void addPendingPromise(VM&, JSPromiseDeferred*, Vector<Strong<JSCell>>&& dependencies);
     JS_EXPORT_PRIVATE bool hasPendingPromise(JSPromiseDeferred* ticket);
     JS_EXPORT_PRIVATE bool hasDependancyInPendingPromise(JSPromiseDeferred* ticket, JSCell* dependency);

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -382 +382 @@
     setLastStackTop(stack.origin());
 
+    JSRunLoopTimer::Manager::shared().registerVM(*this);
+
     // Need to be careful to keep everything consistent here
     JSLockHolder lock(this);
@@ -582 +584 @@
     m_apiLock->willDestroyVM(this);
     heap.lastChanceToFinalize();
+
+    JSRunLoopTimer::Manager::shared().unregisterVM(*this);
     
     delete interpreter;
@@ -1210 +1214 @@
 
 #if USE(CF)
-void VM::registerRunLoopTimer(JSRunLoopTimer* timer)
-{
-    ASSERT(runLoop());
-    ASSERT(!m_runLoopTimers.contains(timer));
-    m_runLoopTimers.add(timer);
-    timer->setRunLoop(runLoop());
-}
-
-void VM::unregisterRunLoopTimer(JSRunLoopTimer* timer)
-{
-    ASSERT(m_runLoopTimers.contains(timer));
-    m_runLoopTimers.remove(timer);
-    timer->setRunLoop(nullptr);
-}
-
 void VM::setRunLoop(CFRunLoopRef runLoop)
 {
     ASSERT(runLoop);
     m_runLoop = runLoop;
-    for (auto timer : m_runLoopTimers)
-        timer->setRunLoop(runLoop);
+    JSRunLoopTimer::Manager::shared().didChangeRunLoop(*this, runLoop);
 }
 #endif // USE(CF)

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -308 +308 @@
 #if USE(CF)
     // These need to be initialized before heap below.
-    HashSet<JSRunLoopTimer*> m_runLoopTimers;
     RetainPtr<CFRunLoopRef> m_runLoop;
 #endif
@@ -888 +887 @@
 #if USE(CF)
     CFRunLoopRef runLoop() const { return m_runLoop.get(); }
-    void registerRunLoopTimer(JSRunLoopTimer*);
-    void unregisterRunLoopTimer(JSRunLoopTimer*);
     JS_EXPORT_PRIVATE void setRunLoop(CFRunLoopRef);
 #endif // USE(CF)

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.cpp

@@ -92 +92 @@
     dependencies.append(Strong<JSCell>(vm, globalObject));
 
-    vm.promiseDeferredTimer->addPendingPromise(promise, WTFMove(dependencies));
+    vm.promiseDeferredTimer->addPendingPromise(vm, promise, WTFMove(dependencies));
 
     Wasm::Module::validateAsync(&vm.wasmContext, WTFMove(source), createSharedTask<Wasm::Module::CallbackType>([promise, globalObject, &vm] (Wasm::Module::ValidationResult&& result) mutable {
@@ -174 +174 @@
     dependencies.append(Strong<JSCell>(vm, instance));
     dependencies.append(Strong<JSCell>(vm, importObject));
-    vm.promiseDeferredTimer->addPendingPromise(promise, WTFMove(dependencies));
+    vm.promiseDeferredTimer->addPendingPromise(vm, promise, WTFMove(dependencies));
     // Note: This completion task may or may not get called immediately.
     module->module().compileAsync(&vm.wasmContext, instance->memoryMode(), createSharedTask<Wasm::CodeBlock::CallbackType>([promise, instance, module, importObject, resolveKind, creationMode, &vm] (Ref<Wasm::CodeBlock>&& refCodeBlock) mutable {
@@ -195 +195 @@
     dependencies.append(Strong<JSCell>(vm, importObject));
     dependencies.append(Strong<JSCell>(vm, moduleKeyCell));
-    vm.promiseDeferredTimer->addPendingPromise(promise, WTFMove(dependencies));
+    vm.promiseDeferredTimer->addPendingPromise(vm, promise, WTFMove(dependencies));
 
     Vector<uint8_t> source = createSourceBufferFromValue(vm, exec, buffer);
@@ -232 +232 @@
     dependencies.append(Strong<JSCell>(vm, importObject));
     dependencies.append(Strong<JSCell>(vm, globalObject));
-    vm.promiseDeferredTimer->addPendingPromise(promise, WTFMove(dependencies));
+    vm.promiseDeferredTimer->addPendingPromise(vm, promise, WTFMove(dependencies));
 
     Wasm::Module::validateAsync(&vm.wasmContext, WTFMove(source), createSharedTask<Wasm::Module::CallbackType>([promise, importObject, globalObject, &vm] (Wasm::Module::ValidationResult&& result) mutable {
@@ -311 +311 @@
     Vector<Strong<JSCell>> dependencies;
     dependencies.append(Strong<JSCell>(vm, globalObject));
-    vm.promiseDeferredTimer->addPendingPromise(promise, WTFMove(dependencies));
+    vm.promiseDeferredTimer->addPendingPromise(vm, promise, WTFMove(dependencies));
 
     if (globalObject->globalObjectMethodTable()->compileStreaming)
@@ -348 +348 @@
                 dependencies.append(Strong<JSCell>(vm, globalObject));
                 dependencies.append(Strong<JSCell>(vm, importObject));
-                vm.promiseDeferredTimer->addPendingPromise(promise, WTFMove(dependencies));
+                vm.promiseDeferredTimer->addPendingPromise(vm, promise, WTFMove(dependencies));
 
                 // FIXME: <http://webkit.org/b/184888> if there's an importObject and it contains a Memory, then we can compile the module with the right memory type (fast or not) by looking at the memory's type.

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2018-08-23  Saam barati  <sbarati@apple.com>
+
+        JSRunLoopTimer may run part of a member function after it's destroyed
+        https://bugs.webkit.org/show_bug.cgi?id=188426
+
+        Reviewed by Mark Lam.
+
+        * page/cocoa/ResourceUsageThreadCocoa.mm:
+        (WebCore::ResourceUsageThread::platformThreadBody):
+        * page/linux/ResourceUsageThreadLinux.cpp:
+        (WebCore::ResourceUsageThread::platformThreadBody):
+
 2018-08-23  David Fenton  <david_fenton@apple.com>
 

trunk/Source/WebCore/page/cocoa/ResourceUsageThreadCocoa.mm

@@ -249 +249 @@
     data.totalExternalSize = currentGCOwnedExternal;
 
-    data.timeOfNextEdenCollection = vm->heap.edenActivityCallback()->nextFireTime();
-    data.timeOfNextFullCollection = vm->heap.fullActivityCallback()->nextFireTime();
+    auto now = MonotonicTime::now();
+    data.timeOfNextEdenCollection = now + vm->heap.edenActivityCallback()->timeUntilFire().value_or(Seconds(std::numeric_limits<double>::infinity()));
+    data.timeOfNextFullCollection = now + vm->heap.fullActivityCallback()->timeUntilFire().value_or(Seconds(std::numeric_limits<double>::infinity()));
 }
 

trunk/Source/WebCore/page/linux/ResourceUsageThreadLinux.cpp

@@ -1 +1 @@
 /*
  * Copyright (C) 2017 Igalia S.L.
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -169 +170 @@
     data.totalExternalSize = currentGCOwnedExternal;
 
-    data.timeOfNextEdenCollection = vm->heap.edenActivityCallback()->nextFireTime();
-    data.timeOfNextFullCollection = vm->heap.fullActivityCallback()->nextFireTime();
+    auto now = MonotonicTime::now();
+    data.timeOfNextEdenCollection = now + vm->heap.edenActivityCallback()->timeUntilFire().value_or(Seconds(std::numeric_limits<double>::infinity()));
+    data.timeOfNextFullCollection = now + vm->heap.fullActivityCallback()->timeUntilFire().value_or(Seconds(std::numeric_limits<double>::infinity()));
 }